Git-Mirrors
/
plague-kernel
mirror of https://0xacab.org/optout/plague-kernel.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reinitializing repository

This commit is contained in:
arcanedev 2022-04-20 20:10:27 +00:00
commit ea25866646
No known key found for this signature in database
GPG Key ID: 13BA4BD4C14170C0
2 changed files with 7732 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7514
.config Normal file
View File

File diff suppressed because it is too large Load Diff

218
README.md Normal file
View File

@ -0,0 +1,218 @@
### Install dependencies
- `xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel`
### Steps to create
- `cd /usr/src/`
- `/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10.<latest_version>-hardened1.tar.gz"`
- `tar -xvf 5.10.<latest_version>-hardened1.tar.gz`
- `cd 5.10.<latest_version>-hardened1`
- `make oldconfig`
- `make menuconfig` # (if any changes are required)
- `make --jobs=4` # start compiling
- `make modules_install` # create /lib/modules/$kver
- `cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-5.10.<latest_version>-hardened1_1 && dracut --kver 5.10.<latest_version>-hardened1_1 --force`
- `grub-mkconfig -o /boot/grub/grub.cfg`
- `xbps-reconfigure -fa`
### Steps to import/configure release
- Built into PlagueOS installer
### Troubleshooting:
- `lsinitrd -v /boot/initramfs-5.10.<latest_version>-hardened1_1.img`
#### Additional Resources:
- https://www.kernel.org/doc/html/v5.10/
- https://github.com/Whonix/hardened-kernel
- https://docs.clip-os.org/clipos/kernel.html
- https://github.com/anthraxx/linux-hardened
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
- https://notabug.org/anonymous-lestat/Void-Hardened-Kernel
- https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel
### Trimming Efforts
- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the core purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
| |PlagueOS (plague-kernel) |Whonix (LTS)|
|--- | --- | ---|
|Size (compressed)|159.8 MB |285.6 MB|
### Current kconfig-hardened-check results
#### Successes
Option | Desired Value | Source | Reason | Result |
|--- | --- | --- | --- | --- |
CONFIG_BUG | y |defconfig | self_protection | OK
CONFIG_GCC_PLUGINS | y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK
CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | OK: version >= 5.5
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK
CONFIG_VMAP_STACK | y |defconfig | self_protection | OK
CONFIG_MICROCODE | y |defconfig | self_protection | OK
CONFIG_RETPOLINE | y |defconfig | self_protection | OK
CONFIG_X86_SMAP | y |defconfig | self_protection | OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK
CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | OK
CONFIG_DEBUG_WX | y | kspp | self_protection | OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK
CONFIG_DEBUG_LIST | y | kspp | self_protection | OK
CONFIG_DEBUG_SG | y | kspp | self_protection | OK
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | OK
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK
CONFIG_MODULE_SIG | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | OK
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | OK: CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y"
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | OK
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | OK
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | OK
CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | OK
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | OK
CONFIG_KEXEC | is not set | kspp | cut_attack_surface | OK
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | OK
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | OK
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | OK
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | OK
CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | OK
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | OK
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | OK
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | OK
CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | OK
CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | OK
CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | OK
CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK
CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_BLK_DEV_FD | is not set |maintainer| cut_attack_surface | OK
CONFIG_AIO | is not set |grapheneos| cut_attack_surface | OK
CONFIG_STAGING | is not set | clipos | cut_attack_surface | OK
CONFIG_KSM | is not set | clipos | cut_attack_surface | OK
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | OK
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | OK
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | OK
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK
CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | OK
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK: not found
CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | OK
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | OK
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | OK: not found
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | OK: not found
CONFIG_IP_DCCP | is not set | my | cut_attack_surface | OK
CONFIG_FTRACE | is not set | my | cut_attack_surface | OK
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | OK: not found
CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | OK
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | OK
#### Fails
Option | Desired Value | Source | Reason | Result |
|--- | --- | --- | --- | --- |
CONFIG_SLUB_DEBUG | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_X86_UMIP | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found
CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found
CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m"
```
Totals: 'OK' - 147 / 'FAIL' - 17